Atomic update of access control list rules

ABSTRACT

There is disclosed in one example a network switching apparatus, including: a plurality of ingress ports; a plurality of egress ports; a ternary content addressable memory (TCAM) comprising a plurality of chunks, wherein the chunks can be atomically enabled or disabled; a switching circuit to switch traffic from the ingress port to a selected egress port according to an access control list (ACL) of the TCAM; and one or more non-transitory mediums having stored thereon instructions to atomically add or update two or more target rules, including: add the two or more target rules to one or more target-rule chunks; and atomically enable the target-rule chunks.

FIELD OF THE SPECIFICATION

This disclosure relates in general to the field of network fabrics, and more particularly, though not exclusively, to a system and method for providing atomic update of access control list rules.

BACKGROUND

In some modern data centers, the function of a device or appliance may not be tied to a specific, fixed hardware configuration. Rather, processing, memory, storage, and accelerator functions may in some cases be aggregated from different locations to form a virtual “composite node.” A contemporary network may include a data center hosting a large number of generic hardware server devices, contained in a server rack for example, and controlled by a hypervisor. Each hardware device may run one or more instances of a virtual device, such as a workload server or virtual desktop.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is best understood from the following detailed description when read with the accompanying figures. It is emphasized that, in accordance with the standard practice in the industry, various features are not necessarily drawn to scale, and are used for illustration purposes only. Where a scale is shown, explicitly or implicitly, it provides only one illustrative example. In other embodiments, the dimensions of the various features may be arbitrarily increased or reduced for clarity of discussion.

FIGS. 1a and 1b are block diagrams of a network switch, including switching elements and a controller with a ternary content-addressable memory (TCAM) configuration register, according to one or more examples of the present specification.

FIGS. 2-7 provide access control list (ACL) tables illustrating an atomic update operation, according to one or more examples of the present specification.

FIG. 8 is a flowchart of a method of providing atomic update of an ACL rule, according to one or more examples of the present specification.

FIG. 9 is a block diagram of selected components of a data center with connectivity to a network of a cloud service provider (CSP), according to one or more examples of the present application.

FIG. 10 is a block diagram of selected components of an end-user computing device, according to one or more examples of the present specification.

FIG. 11 is a block diagram of components of a computing platform, according to one or more examples of the present specification.

FIG. 12 is a block diagram of a central processing unit (CPU), according to one or more examples of the present specification.

EMBODIMENTS OF THE DISCLOSURE

The following disclosure provides many different embodiments, or examples, for implementing different features of the present disclosure. Specific examples of components and arrangements are described below to simplify the present disclosure. These are, of course, merely examples and are not intended to be limiting. Further, the present disclosure may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. Different embodiments may have different advantages, and no particular advantage is necessarily required of any embodiment.

A contemporary computing platform, such as a hardware platform provided by Intel® or similar, may include a capability for monitoring device performance and making decisions about resource provisioning. For example, in a large data center such as may be provided by a cloud service provider (CSP), the hardware platform may include rackmounted servers with compute resources such as processors, memory, storage pools, accelerators, and other similar resources. As used herein, “cloud computing” includes network-connected computing resources and technology that enables ubiquitous (often worldwide) access to data, resources, and/or technology. Cloud resources are generally characterized by great flexibility to dynamically assign resources according to current workloads and needs. This can be accomplished, for example, via virtualization, wherein resources such as hardware, storage, and networks are provided to a virtual machine (VM) via a software abstraction layer, and/or containerization, wherein instances of network functions are provided in “containers” that are separated from one another, but that share underlying operating system, memory, and driver resources.

In embodiments of the present disclosure, a VM is an isolated partition within a computing device that allows usage of an operating system and other applications, independent of other programs on the device in which it is contained. VMs, containers, and similar may be generically referred to as “guest” systems.

As used in the present specification, a processor includes any programmable logic device with an instruction set. Processors may be real or virtualized, local or remote, or in any other configuration. A processor may include, by way of nonlimiting example, an Intel® processor (e.g., Xeon®, Core™, Pentium®, Atom®, Celeron®, x86, or others). A processor may also include competing processors, such as AMD (e.g., Kx-series x86 workalikes, or Athlon, Opteron, or Epyc-series Xeon workalikes), ARM processors, or IBM PowerPC and Power ISA processors, to name just a few.

A typical data center or other network environment includes a network fabric, which may include a number of switches or other network elements that direct packets through the network. In this specification, an Ethernet switch is used as an example of such a network element, but this should be understood to be a nonlimiting example, and the Ethernet switch described herein should be understood to stand for the entire class of network elements that may be configured to provide the atomic update of ACL rules, as described in this specification.

A data center may require Ethernet switches to process large volumes of flow, route, and other table updates. Access control lists (ACLs) are commonly used match-action constructs in such Ethernet switches. ACLs support flow management, routing protocols, and other use cases requiring wire speed packet classification. In other words, the ACL must operate very quickly so as not to become a bottleneck in the network fabric.

Many functionalities require multiple ACLs to be present in the system, including use cases based on wild-carded keys or ranges of keys. Operational requirements or practical considerations may drive a requirement that ACL updates be performed non-disruptively, even when groups of ACL rules are updated at the same time. Thus, the present specification provides a system and method of atomic update of ACL rules without disruption to traffic flows.

An illustrative example of such a situation is a group of ACL rules that match on an IP range, such as 1.2.3.10 through 1.2.3.15, with a drop action. Notably, the range of this rule does not fall on a power of two boundary. In other words, if the matching range were 1.2.3.0 through 1.2.3.15, the rule could be handled with a 4-bit bit mask, e.g., by matching 1.2.3.0/28. This bit mask would match every rule in the 1.2.3.0 through 1.2.3.15 range. But because the desired range does not fall cleanly within that bit mask, six individual rules are required to cover the individual values. For example:

1. Precedence 10 Rule Match 1.2.3.10→Drop

2. Precedence 10 Rule Match 1.2.3.11→Drop

3. Precedence 10 Rule Match 1.2.3.12→Drop

4. Precedence 10 Rule Match 1.2.3.13→Drop

5. Precedence 10 Rule Match 1.2.3.14→Drop

6. Precedence 10 Rule Match 1.2.3.15→Drop

Now consider a case where this group of rules is to be updated to redirect the frames to a port instead of dropping them. If the changes are made to all six rules serially, then while the changes are being propagated, some frames within the range will be directed to the output port, while others will be dropped. This is undesirable behavior.

Some existing fabric switches use a mapper to remap multiple values to a single value and have a single entry in the ACL table that matches on the remapped value. For example:

Mapper Entries

1. Mapper entry 0 Match 1.2.3.10→Mapped Entry 1

2. Mapper entry 1 Match 1.2.3.11→Mapped Entry 1

3. Mapper entry 2 Match 1.2.3.12→Mapped Entry 1

4. Mapper entry 3 Match 1.2.3.13→Mapped Entry 1

5. Mapper entry 4 Match 1.2.3.14→Mapped Entry 1

6. Mapper entry 5 Match 1.2.3.15→Mapped Entry 1

The ACL entry that corresponds to this mapping would be: Precedence 10 Rule Match Mapped Entry 1→Drop

This solution is, however, limited to applications where a mapper is exposed. The solution also does not scale well because the number of mapper entries is generally limited. Furthermore, this solution only works for range matching. Thus, if the preceding rules were modified so that 1.2.3.15 is forwarded to a port while 1.2.3.16 is dropped, existing mappers could not handle this as a mapped rule.

Thus, to achieve true atomic updates, a policy may be enforced on the switch by making sure that packets that ingress the pipeline match on the original configuration or the desired modified configuration, but none of the intermediate configurations. This can be achieved, for example, by stopping the pipeline processing of incoming frames. ACL table entries are then updated, and only once the table entries are all updated does the pipeline resume processing of incoming frames.

While this solution results in atomic updates, it is disruptive to the pipeline because incoming frames are not processed while the ACLs are being modified. This can lead to packet loss and high jitter. Furthermore, this solution works only when the underlying hardware is able to apply the register modification at a fast pace. Potentially advantageously, the system and method of the present specification provides an atomic update of ACL rules that is scalable so that the number of groups supported is not limited by anything other than the available size of the table. This solution is also not limited to range matching, and it can be used to atomically enable or disable an arbitrary group of rules.

The method includes copying or moving rules in a non-disruptive way to specified positions within the ACL table identified as discrete chunks. The transition is optimized to minimize register operations.

By way of example, the present specification provides ACLs supported by a TCAM-based network switch. Individual TCAM entries can be updated atomically with individual activate and deactivate operations. The TCAM itself is divided up into discrete “chunks,” and chunks can be enabled and disabled simultaneously. For example, a TCAM may divide its table into 16 discrete chunks, with each chunk including 64 rules, or rows. Thus, the TCAM supports a total of 1024 rules. The TCAM chunks can be controlled atomically by a TCAM configuration register, or by other configuration signals that can be sent on a bus in parallel. Chunks that receive an enable (e.g., a 1) are enabled, while chunks that receive a disable (e.g., 0) are disabled. Because all 16 chunks in the TCAM can be simultaneously enabled or disabled according to the configuration of the TCAM register, and because rules can be individually enabled and disabled, atomic ACL updates can be effectively realized.

Further note that in the following examples, higher index TCAM entries have higher precedence in the case of multiple hits. For example, a rule with priority 12 that matches 1.2.3.x will be processed before a rule with priority 10 that matches 1.2.x.x. Thus, a more specific rule can be processed before a more general rule by giving the more specific rule a higher priority number.

By way of illustration, atomic ACL updates can be realized as follows.

First, new entries are added with updated conditions and/or actions, and are designated as inactive when added. Because these rules are inactive when added, they will not be processed during the update operation.

Once the updated inactive rules are added, entries are moved in the TCAM according to the following criteria:

a. Entries that are not to be changed (i.e., “untouched entries”) should reside on a chunk that does not include any original source entries or their updated variants.

b. Source entries should be located on exclusive chunks with respect to the entries' sorting order.

c. New entries should be located on an exclusive chunk with respect to the entries' sorting order.

Once the new inactive entries have been added and entries have been moved to appropriate chunks, the chunk hosting the new entries may be disabled. Now that the chunk is disabled, the entries within the chunk can be activated at the physical row level without them affecting actual routing. In other words, the entries are individually marked as active, but because they reside on a disabled chunk, they have no effect on the routing.

Once all of the new entries on the disabled chunk have been enabled, then the chunk with the new entries is enabled, while simultaneously the chunk with the source entries (i.e., the old entries that were updated) is disabled. Because the entire TCAM is controlled on a chunk-by-chunk basis by a single register or bus, the enabling and disabling of chunks can be performed atomically.

The TCAM now operates according to the desired update. The new rules reside on the newly activated chunk, and are active, while the old rules reside on the now deactivated chunk, and thus are not processed whether they are active or inactive.

Although the TCAM is now operating according to the atomic update, and is routing traffic appropriately, it also has one or more chunks that have been disabled to realize the atomic update operation. To recapture these chunks, the old entries can be marked as inactive or empty, or otherwise removed from active service, and the disabled chunk or chunks can then be re-enabled.

FIGS. 2-7 below illustrate an operation of an atomic ACL update. Those FIGURES should be understood to provide a nonlimiting and illustrative example only. The illustrated example includes five rules being updated atomically in a table that contains a total of ten various entries. These entries have different precedences, and are located in different places throughout the TCAM. Advantageously, the precedence of the rules is respected during the transition. New precedence is created to insert new rules that carry the updated conditions and/or actions. The illustrated TCAM provides a table with a size of 1024 rows divided into 16 chunks with 64 rules in each chunk. It should be noted that these examples are illustrative only, and other table sizes and chunk sizes are possible. Furthermore, while in this example each chunk has an identical size of 64 rules, this is also a nonlimiting example. In other cases, a table may be divided into chunks of non-uniform size.

As illustrated here, the precedence of a rule is a software abstraction that actually defines the precedence of a rule with respect to the other rules in the table. Rules can share the same precedence group if the position of the rule inside the group is not important. For example, if it is not important which rule of precedence 10 is processed first, then a plurality of rules can be assigned precedence 10. However, if it is necessary for a rule to be processed before precedence 10 (e.g., the precedence 10 rule is more general), then the second rule can be provided with a higher precedence, such as precedence 12.

In the illustrated example, the source entries including destination IP addresses (DIPs) are as follows:

1. Precedence 10 Rule Match DIP 1.x.x.x→Permit

2. Precedence 11 Rule Match DIP 1.2.x.x→Redirect Port 4

3. Precedence 11 Rule Match DIP 7.8.x.x→Redirect Port 3

4. Precedence 20 Rule Match DIP 7.8.9.x→Flood

5. Precedence 21 Rule Match DIP 7.8.9.10→Drop

In this case, the precedence 21 rule will be processed first, the precedence 20 rule will be processed next, the two precedence 11 rules will be processed next (in any order), and the precedence 10 rule will be processed last. Note that the table may also include other rules of other precedences. In a common TCAM, rules of higher precedence must be located at higher addresses of the TCAM than rules of lower precedence. This enables the TCAM content to be searched in a top-down fashion, starting at the highest address, and moving to the lowest. Thus, precedence 21 rules must reside on a higher row number than precedence 20 rules, precedence 20 rules must reside on a higher row number than precedence 11 rules, the precedence 11 rules can reside in a row or rows that match their precedence, but the precedence 11 rules must both reside on rows with higher row numbers than the precedence 10 rule. The rules above are to be updated as follows:

1. Precedence 12 Rule Match DIP 1.x.x.x→Permit+Count

2. Precedence 13 Rule Match DIP 1.2.x.x→Drop+Count

3. Precedence 13 Rule Match DIP 7.8.x.x→Drop+Count

4. Precedence 22 Rule Match DIP 7.8.9.x→Drop

5. Precedence 23 Rule Match DIP 7.8.9.200→Permit

To highlight the changes to be made, rule 1 is to be modified by adding a count action. Rule 2 is to be modified by changing its action to drop+count. Rule 3 is to be modified by changing its action to drop+count. Rule 4 is to be modified by changing its action from flood to drop. Rule 5 is to be modified by changing the DIP from 7.8.9.10 to 7.8.9.200, and by modifying the rule from drop to permit. This can be accomplished atomically according to the method discussed above.

A system and method for providing atomic update of access control list rules will now be described with more particular reference to the attached FIGURES. It should be noted that throughout the FIGURES, certain reference numerals may be repeated to indicate that a particular device or block is wholly or substantially consistent across the FIGURES. This is not, however, intended to imply any particular relationship between the various embodiments disclosed. In certain examples, a genus of elements may be referred to by a particular reference numeral (“widget 10”), while individual species or examples of the genus may be referred to by a hyphenated numeral (“first specific widget 10-1” and “second specific widget 10-2”).

FIGS. 1a and 1b are block diagrams of a network switch, including switching elements and a controller 104 with a ternary content-addressable memory (TCAM) configuration register, according to one or more examples of the present specification.

In the example of FIG. 1a, network switch 100 includes a plurality of ingress ports 112 serviced by a plurality of ingress physical layers (PHYs) 108. Network switch 100 also provides a plurality of egress ports 116 serviced by a plurality of egress PHYs 114. A controller 104 provides switching logic or a switching circuit to direct traffic from ingress ports 112 to egress ports 116. Processor 134 may include software to configure controller 104 and to modify ACL rules table 142. ACL rules engine 140 may be part of controller 104, or may be a separate circuit such as an application-specific integrated circuit (ASIC), or may be part of a system-on-a-chip. ACL rules engine 140 uses ACL rules table 142 to make decisions about switching traffic from ingress ports 112 to egress ports 116. In some embodiments, processor 134, controller 104, ACL rules engine 140, and ACL rules table 142 may all be part of a single system-on-a-chip. Controller 104 may also include random access memory 120, with non-transitory instructions stored on a flash 122. Switch 100 is powered by a power circuit 126. In some cases, indicators 130 such as LEDs or other human-visible indicators may be used to provide status information at a glance.

In practice, some packets at ingress ports 112 may be deterministically switched to an egress port 116, such as in the case where only a single route is provided for that packet. But in many practical cases, a plurality of egress ports 116 provides a plurality of equally valid routes for a packet arriving at ingress ports 112.

In the example of FIG. 1b, controller 104 may include a TCAM configuration register 150. TCAM configuration register 150 can be used to atomically enable or disable chunks of a TCAM 160. TCAM 160 may be, for example, part of ACL rules table 142. In this example, TCAM 160 includes chunks 0 through 15. Each chunk includes 64 entries for a total of 1024 entries in TCAM 160. Note that other sizes of TCAMs and chunks are possible.

TCAM configuration register 150 includes enable flags 152. For example, TCAM configuration register 150 may include a 16-bit field, with each bit flag representing enable or disable for a chunk of TCAM 160. Thus, a single value can be written to TCAM configuration register 150, and all of the chunks within TCAM 160 can be simultaneously updated to an enable or disable status.

FIGS. 2-7 provide ACL tables illustrating an atomic update operation, according to one or more examples of the present specification. ACL table 200 includes one or more ACL tables having a plurality of chunks that can be simultaneously enabled or disabled.

Turning to FIG. 2, an ACL table 200 is illustrated. ACL table 200 may be hosted, for example, within TCAM 160 of FIG. 1b. ACL table 200 includes a number of rows, which may be numbered 0 through 1023, with a state of either active or inactive assigned to each row. Each row also includes a precedence, which increases as the row number increases. Finally, ACL table 200 includes a condition and action mapping, which illustrates the condition to match to the entry, and an action to take for each condition. Also identified in ACL table 200 is the chunk to which each row belongs, as well as the state of each chunk per-entry.

As discussed in the description above, five of these rules are to be atomically updated. Namely, row 132 with precedence 10 is to be changed from match DIP 1.x.x.x→permit to precedence 12 match DIP 1.x.x.x→permit+count.

Row 385 precedence 11 match DIP 1.2.x.x→redirect port 4 is to be changed to precedence 13 match DIP 1.2.x.x→drop+count.

Row 386 precedence 11 match DIP 7.8.x.x→redirect port 3 is to be changed to precedence 13 match DIP 7.8.x.x→drop+count.

Row 388 precedence 20 is to be changed from match DIP 7.8.9.x→flood to precedence 22 match DIP 7.8.9.x→drop.

Row 389 precedence 21 is to be changed from match DIP 7.8.9.10→drop to precedence 23 match DIP 7.8.9.200→permit.

Turning now to FIG. 3, ACL table 200 is updated with new inactive entries that reflect the updated rules. But first, space must be freed up to add new entries with precedence 12 and 13 and new entries with precedence 22 and 23. Thus, two new rules are added at rows 382 and 383. Because these rules have the exact same match condition and the same action, and are of the same precedence, they will have no effect on routing performed by the network switch. Note that the two new rules have been added to chunk 5, while the two original rules at rows 385 and 386 are within chunk 6. To make room for rules with precedence 22 and 23, a copy of the former row 390 is made and placed in row 392.

Turning now to FIG. 4, the rules in rows 384, 385, and 390 are now superfluous. These rules can therefore be deleted without affecting routing. There is now once again one copy of each rule, but there is now space to add entries with precedence 12, 13, 22, and 23. Note that at this point, no actual changes have been made in the routing behavior. Entries have simply been moved to create room for the new entries.

Turning now to FIG. 5, new rows 384, 385, 386, 390, and 391 are added to the table. Specifically, new row 384 is added with status inactive. Row 384 has the updated match and action of DIP 1.x.x.x→permit+count. Row 385 has the updated condition+action of DIP 1.2.x.x→drop+count, row 386 has the new match+action of DIP 7.8.x.x→drop+count, row 390 has the new condition+action of DIP 7.8.9.x→drop, and row 391 has the new condition+action of DIP 7.8.9.200→permit. Note that each of these rules has also been assigned the correct updated precedence. Row 384 has precedence 12, row 385 has precedence 13, row 386 has precedence 13, row 390 has precedence 22, and row 391 has precedence 23. Also note that, in FIG. 5, the new inactive rules have been grouped conveniently into a single chunk, which can be atomically enabled or disabled.

Turning now to FIGS. 6a-6c, entries may now be moved so that the original active entries all reside on separate chunks from the new inactive entries. This is to ensure that the new entries can be activated while the old entries are simultaneously inactivated. Entries may be moved according to the following rules:

Untouched or unmodified entries should reside on a chunk that does not include either an original source entry or a new or updated entry.

Original source entries should be located on exclusive chunks, with regard to those entries' sorting order. For example, in FIG. 6a, row 132 resides on chunk 2, and because this rule is to be deactivated, no other active rules should be located on chunk 2. For simplicity of the drawing, only row 132 of Chunk 2 is shown. Chunk 2 also includes rows 128-131, and 133-191, which may, for example, be empty and inactive. Rows 382 and 383 reside on chunk 5. Because these are old entries that are to be deactivated, no other entries should reside on chunk 5.

Further illustrated in FIG. 6a, rows 512 and 513 reside on chunk 8, and because these rules will be atomically deactivated, no other rules should reside on chunk 8. Rows 512 and 513 cannot be grouped onto chunk 5 with rows 382 and 383, because this would place them out-of-order with respect to rows 384 through 386, which have precedences 12 and 13.

In FIG. 6b, ACL table 200 is now arranged so that all of the old rules (“source entries”) are grouped onto chunks with no other entries. New entries are also grouped onto exclusive chunks with no other entries. These chunks are selected and sorted so that an atomic operation that simultaneously activates and deactivates chunks will result in an immediate switch from the old policy to the new policy without any disruption.

As illustrated in FIG. 6c, the old rules and the new rules have been sorted into dedicated chunks, and now the new rules can be activated. Note that activating rows 384, 385, 386, 576, and 577 will have no effect on the current routing of the switch, because chunks 6 and 9 are currently inactive. It may be necessary to maintain these chunks in their disabled state, because individual rows cannot be activated and deactivated atomically the way that chunks can be atomically enabled and disabled. Once rows 384, 385, 386, 576, and 577 have finished being activated, the processor can operate the TCAM configuration register to simultaneously enable chunks 6 and 9, while disabling chunks 2, 5, and 8. Once those chunks have been atomically enabled and disabled, the switch begins operating according to the updated policy as desired. However, there are now superfluous entries in ACL table 200. Furthermore, the deactivated chunks are not available for use in rules. It is therefore desirable to clear rows 132, 382, 383, and 513 so that chunks 2, 5, and 8 can be re-enabled without affecting the operation of the switch.

This result is reflected in FIG. 7, where the five entries have been updated, and all chunks are now enabled.

FIG. 8 is a flowchart of a method of providing atomic update of an ACL rule, according to one or more examples of the present specification.

In block 804, existing rules may be moved to free up space for the new rules. This movement can include accounting for the precedence that new rules are to have, and to ensure that there is room to insert the new rules. As illustrated in FIG. 3, this can include creating duplicate rules with the same precedence as the original rules. This ensures that the new duplicate rules do not affect actual routing within the switch.

In block 808, new or updated rules are added to the table, and each is assigned the status of inactive. Again, the rules are inserted into the table without affecting routing because the rules are added as disabled. This is illustrated in FIG. 5, where the new and updated rules are added.

In block 812, the rules are rearranged according to the chunk criteria. This includes ensuring that untouched entries are part of a chunk that does not include any source entries or new or updated entries. Original or source entries are located on exclusive chunks selected with respect to the entry sorting order. New entries are also located on exclusive chunks selected with respect to the entry sorting order.

In block 816, the chunks that contain new or updated entries are disabled. This ensures that entries within those chunks can be operated on without affecting routing.

In block 820, the new and updated entries on the currently disabled chunks are each activated. Although they cannot be activated atomically, the piecewise activation of these entries does not result in changes to the routing, because the chunks that host them are disabled.

In block 824, chunks containing old entries and chunks containing new or updated entries are simultaneously disabled and enabled, respectively. This ensures that the update to the ACL table occurs atomically so that the switch is made from the old policy to the new policy without any intermediate routing.

In block 828, entries in disabled chunks can now be removed to free up space. The disabled chunks can then be re-enabled so that they are available for use in the ACL table. In block 898, the method is done.
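The chunk swap of blocks 816 through 828 (the same sequence the earlier prose walk-through describes) can be modelled end to end; the following is an added example and not the specification's or any vendor's code. It assumes a minimal row-write, row-activate and enable-register interface, places the old and new rules on the rows FIG. 6c uses, and adds a constructed untouched rule at row 450 (chunk 7) plus six constructed probe addresses. It snapshots the policy after every primitive write, so it shows that the chunked procedure exposes only the old or the new policy while a row-by-row rewrite of the same rules exposes mixed intermediate policies.

```python
"""Constructed model of the chunked-TCAM update (blocks 816-828 of FIG. 8, rows
laid out as in FIG. 6c). Added example, not the specification's or a vendor's
code; the row/register primitives, probe addresses and row-450 rule are assumed."""
import ipaddress
from dataclasses import dataclass

ROWS, CHUNK_ROWS = 1024, 64            # 16 chunks of 64 rows, as in the text


@dataclass
class Rule:
    precedence: int
    net: str                           # "7.8.9.0/24" stands for DIP 7.8.9.x
    action: str
    active: bool = False               # per-row activate/deactivate bit

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.net)


class ChunkedTcam:
    def __init__(self):
        self.rows = [None] * ROWS
        self.enable = (1 << (ROWS // CHUNK_ROWS)) - 1  # config register, all on
        self.probes = []               # DIPs whose verdicts are snapshotted
        self.trace = []                # policy observed after every primitive

    # Each primitive is one hardware write; traffic keeps flowing in between.
    def write_row(self, row, rule):
        self.rows[row] = rule
        self._snap()

    def set_active(self, row, flag):
        self.rows[row].active = flag
        self._snap()

    def write_enable(self, mask):      # one register write flips many chunks
        self.enable = mask
        self._snap()

    def lookup(self, dip):
        """Top-down search: highest matching row on an enabled chunk wins."""
        ip = ipaddress.ip_address(dip)
        for row in range(ROWS - 1, -1, -1):
            r = self.rows[row]
            if r and r.active and (self.enable >> (row // CHUNK_ROWS)) & 1 and ip in r.net:
                return r.action
        return "no-match"

    def policy(self):
        return tuple(self.lookup(p) for p in self.probes)

    def _snap(self):
        if self.probes:
            self.trace.append(self.policy())


# (precedence, prefix, action) per row: old rules alone on chunks 2, 5, 8; new rules
# alone on chunks 6, 9; the constructed untouched rule alone on chunk 7.
OLD = {132: (10, "1.0.0.0/8", "permit"), 382: (11, "1.2.0.0/16", "redirect port 4"),
       383: (11, "7.8.0.0/16", "redirect port 3"), 512: (20, "7.8.9.0/24", "flood"),
       513: (21, "7.8.9.10/32", "drop")}
NEW = {384: (12, "1.0.0.0/8", "permit+count"), 385: (13, "1.2.0.0/16", "drop+count"),
       386: (13, "7.8.0.0/16", "drop+count"), 576: (22, "7.8.9.0/24", "drop"),
       577: (23, "7.8.9.200/32", "permit")}
UNTOUCHED = {450: (15, "9.0.0.0/8", "redirect port 1")}
PROBES = ["1.9.9.9", "1.2.3.4", "7.8.1.1", "7.8.9.10", "7.8.9.200", "9.1.1.1"]


def build_table(stage_new):
    t = ChunkedTcam()
    for row, (p, net, act) in {**OLD, **UNTOUCHED}.items():
        t.write_row(row, Rule(p, net, act, active=True))
    if stage_new:                      # block 808: updated rules added inactive
        for row, (p, net, act) in NEW.items():
            t.write_row(row, Rule(p, net, act))
    t.probes = PROBES                  # observe only once the table is laid out
    return t


def chunk_mask(rows):
    return sum(1 << c for c in {r // CHUNK_ROWS for r in rows})


def atomic_update(t):
    """Blocks 816-828; requires old and new rows to already sit on exclusive chunks."""
    old, new = chunk_mask(OLD), chunk_mask(NEW)
    assert not old & new
    t.write_enable(t.enable & ~new)            # 816: park the new-rule chunks
    for row in NEW:                            # 820: row by row, invisible to traffic
        t.set_active(row, True)
    t.write_enable((t.enable & ~old) | new)    # 824: the single atomic swap
    for row in OLD:                            # 828: clear stale rows, then hand
        t.write_row(row, None)                 #      their chunks back
    t.write_enable(t.enable | old)


def serial_update(t):
    """The rejected approach: rewrite each source row in place, one write at a time."""
    for row, (p, net, act) in zip(sorted(OLD), (NEW[r] for r in sorted(NEW))):
        t.write_row(row, Rule(p, net, act, active=True))


def run(update):
    """Return (old policy, new policy, intermediate policies seen, final register)."""
    t = build_table(stage_new=update is atomic_update)
    before = t.policy()
    update(t)
    after = t.policy()
    mixed = [s for s in t.trace if s not in (before, after)]
    return before, after, mixed, t.enable
```

`run(atomic_update)` returns an empty list of intermediate policies and leaves the enable register at 0xFFFF, while `run(serial_update)` reaches the same final policy but records mixed verdicts along the way.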

FIG. 9 is a block diagram of selected components of a data center 900 with connectivity to a network of a cloud service provider (CSP) 902, according to one or more examples of the present specification. Embodiments of data center 900 disclosed herein may be adapted or configured to provide the method of atomic update of access control list rules, according to the teachings of the present specification.

CSP 902 may be, by way of nonlimiting example, a traditional enterprise data center, an enterprise “private cloud,” or a “public cloud,” providing services such as infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). In some cases, CSP 902 may provide, instead of or in addition to cloud services, high-performance computing (HPC) platforms or services. Indeed, while not expressly identical, HPC clusters (“supercomputers”) may be structurally similar to cloud data centers, and unless and except where expressly specified, the teachings of this specification may be applied to either.

CSP 902 may provision some number of workload clusters 918, which may be clusters of individual servers, blade servers, rackmount servers, or any other suitable server topology. In this illustrative example, two workload clusters, 918-1 and 918-2, are shown, each providing rackmount servers 946 in a chassis 948.

In this illustration, workload clusters 918 are shown as modular workload clusters conforming to the rack unit (“U”) standard, in which a standard rack, 19 inches wide, may be built to accommodate 42 units (42U), each 1.75 inches high and approximately 36 inches deep. In this case, compute resources such as processors, memory, storage, accelerators, and switches may fit into some multiple of rack units from one to 42.

Each server 946 may host a standalone operating system and provide a server function, or servers may be virtualized, in which case they may be under the control of a virtual machine manager (VMM), hypervisor, and/or orchestrator, and may host one or more virtual machines, virtual servers, or virtual appliances. These server racks may be collocated in a single data center, or may be located in different geographic data centers. Depending on the contractual agreements, some servers 946 may be specifically dedicated to certain enterprise clients or tenants, while others may be shared.

The various devices in a data center may be connected to each other via a switching fabric 970, which may include one or more high speed routing and/or switching devices. Switching fabric 970 may provide both “north-south” traffic (e.g., traffic to and from the wide area network (WAN), such as the internet), and “east-west” traffic (e.g., traffic across the data center). Historically, north-south traffic accounted for the bulk of network traffic, but as web services become more complex and distributed, the volume of east-west traffic has risen. In many data centers, east-west traffic now accounts for the majority of traffic.

Furthermore, as the capability of each server 946 increases, traffic volume may further increase. For example, each server 946 may provide multiple processor slots, with each slot accommodating a processor having four to eight cores, along with sufficient memory for the cores. Thus, each server may host a number of VMs, each generating its own traffic.

To accommodate the large volume of traffic in a data center, a highly capable switching fabric 970 may be provided. Switching fabric 970 is illustrated in this example as a “flat” network, wherein each server 946 may have a direct connection to a top-of-rack (ToR) switch 920 (e.g., a “star” configuration), and each ToR switch 920 may couple to a core switch 930. This two-tier flat network architecture is shown only as an illustrative example. In other examples, other architectures may be used, such as three-tier star or leaf-spine (also called “fat tree” topologies) based on the “Clos” architecture, hub-and-spoke topologies, mesh topologies, ring topologies, or 3-D mesh topologies, by way of nonlimiting example.

The fabric itself may be provided by any suitable interconnect. For example, each server 946 may include an Intel® Host Fabric Interface (HFI), a network interface card (NIC), a host channel adapter (HCA), or other host interface. For simplicity and unity, these may be referred to throughout this specification as a “host fabric interface” (HFI), which should be broadly construed as an interface to communicatively couple the host to the data center fabric. The HFI may couple to one or more host processors via an interconnect or bus, such as PCI, PCIe, or similar. In some cases, this interconnect bus, along with other “local” interconnects (e.g., core-to-core Ultra Path Interconnect) may be considered to be part of fabric 970. In other embodiments, the Ultra Path Interconnect (UPI) (or other local coherent interconnect) may be treated as part of the secure domain of the processor complex, and thus not part of the fabric.

The interconnect technology may be provided by a single interconnect or a hybrid interconnect, such as where PCIe provides on-chip communication, 1 Gb or 10 Gb copper Ethernet provides relatively short connections to a ToR switch 920, and optical cabling provides relatively longer connections to core switch 930. Interconnect technologies that may be found in the data center include, by way of nonlimiting example, Intel® Omni-Path™ Architecture (OPA), TrueScale™, Ultra Path Interconnect (UPI) (formerly called QPI or KTI), FibreChannel, Ethernet, FibreChannel over Ethernet (FCoE), InfiniBand, PCI, PCIe, or fiber optics, to name just a few. The fabric may be cache- and memory-coherent, cache- and memory-non-coherent, or a hybrid of coherent and non-coherent interconnects. Some interconnects are more popular for certain purposes or functions than others, and selecting an appropriate fabric for the instant application is an exercise of ordinary skill. For example, OPA and InfiniBand are commonly used in high-performance computing (HPC) applications, while Ethernet and FibreChannel are more popular in cloud data centers. But these examples are expressly nonlimiting, and as data centers evolve, fabric technologies similarly evolve.

In embodiments of the present specification, cache coherency is a memory architecture that provides uniform sharing and mapping between a plurality of caches. For example, the caches may map to the same address space. If two different caches have cached the same address in the shared address space, a coherency agent provides logic (hardware and/or software) to ensure the compatibility and uniformity of the shared resource. For example, if two caches have cached the same address, when the value stored in that address is updated in one cache, the coherency agent ensures that the change is propagated to the other cache. Coherency may be maintained, for example, via “snooping,” wherein each cache monitors the address lines of each other cache, and detects updates. Cache coherency may also be maintained via a directory-based system, in which shared data are placed in a shared directory that maintains coherency. Some distributed shared memory architectures may also provide coherency, for example by emulating the foregoing mechanisms.

Coherency may be either “snoopy” or directory-based. In snoopy protocols, coherency may be maintained via write-invalidate, wherein a first cache that snoops a write to the same address in a second cache invalidates its own copy. This forces a read from memory if a program tries to read the value from the first cache. Alternatively, in write-update, a first cache snoops a write to a second cache, and a cache controller (which may include a coherency agent) copies the data out and updates the copy in the first cache.

By way of nonlimiting example, current cache coherency models include MSI (modified, shared, invalid), MESI (modified, exclusive, shared, invalid), MOSI (modified, owned, shared, invalid), MOESI (modified, owned, exclusive, shared, invalid), MERSI (modified, exclusive, read-only or recent, shared, invalid), MESIF (modified, exclusive, shared, invalid, forward), write-once, Synapse, Berkeley, Firefly, and Dragon protocols. Furthermore, ARM processors may use advanced microcontroller bus architecture (AMBA), including AMBA 4 ACE, to provide cache coherency in systems-on-a-chip (SoCs) or elsewhere.

Note that while high-end fabrics such as OPA are provided herein by way of illustration, more generally, fabric 970 may be any suitable interconnect or bus for the particular application. This could, in some cases, include legacy interconnects like local area networks (LANs), token ring networks, synchronous optical networks (SONET), asynchronous transfer mode (ATM) networks, wireless networks such as WiFi and Bluetooth, “plain old telephone system” (POTS) interconnects, or similar. It is also expressly anticipated that in the future, new network technologies may arise to supplement or replace some of those listed here, and any such future network topologies and technologies can be or form a part of fabric 970.

In certain embodiments, fabric 970 may provide communication services on various “layers,” as originally outlined in the Open Systems Interconnection (OSI) seven-layer network model. In contemporary practice, the OSI model is not followed strictly. In general terms, layers 1 and 2 are often called the “Ethernet” layer (though in some data centers or supercomputers, Ethernet may be supplanted or supplemented by newer technologies). Layers 3 and 4 are often referred to as the transmission control protocol/internet protocol (TCP/IP) layer (which may be further subdivided into TCP and IP layers). Layers 5-7 may be referred to as the “application layer.” These layer definitions are disclosed as a useful framework, but are intended to be nonlimiting.

FIG. 10 is a block diagram of an end-user computing device 1000, according to one or more examples of the present specification. Embodiments of computing device 1000 disclosed herein may be adapted or configured to provide the method of atomic update of access control list rules, according to the teachings of the present specification.

As above, computing device 1000 may provide, as appropriate, cloud service, high-performance computing, telecommunication services, enterprise data center services, or any other compute services that benefit from a computing device 1000.

In this example, a fabric 1070 is provided to interconnect various aspects of computing device 1000. Fabric 1070 may be the same as fabric 970 of FIG. 9, or may be a different fabric. As above, fabric 1070 may be provided by any suitable interconnect technology. In this example, Intel® Omni-Path™ is used as an illustrative and nonlimiting example.

As illustrated, computing device 1000 includes a number of logic elements forming a plurality of nodes. It should be understood that each node may be provided by a physical server, a group of servers, or other hardware. Each server may be running one or more virtual machines as appropriate to its application.

Node 0 1008 is a processing node including a processor socket 0 and processor socket 1. The processors may be, for example, Intel® Xeon™ processors with a plurality of cores, such as 4 or 8 cores. Node 0 1008 may be configured to provide network or workload functions, such as by hosting a plurality of virtual machines or virtual appliances.

Onboard communication between processor socket 0 and processor socket 1 may be provided by an onboard uplink 1078. This may provide a very high speed, short-length interconnect between the two processor sockets, so that virtual machines running on node 0 1008 can communicate with one another at very high speeds. To facilitate this communication, a virtual switch (vSwitch) may be provisioned on node 0 1008, which may be considered to be part of fabric 1070.

Node 0 1008 connects to fabric 1070 via an HFI 1072. HFI 1072 may connect to an Intel® Omni-Path™ fabric. In some examples, communication with fabric 1070 may be tunneled, such as by providing UPI tunneling over Omni-Path™.

Because computing device 1000 may provide many functions in a distributed fashion that in previous generations were provided onboard, a highly capable HFI 1072 may be provided. HFI 1072 may operate at speeds of multiple gigabits per second, and in some cases may be tightly coupled with node 0 1008. For example, in some embodiments, the logic for HFI 1072 is integrated directly with the processors on a system-on-a-chip. This provides very high speed communication between HFI 1072 and the processor sockets, without the need for intermediary bus devices, which may introduce additional latency into the fabric. However, this is not to imply that embodiments where HFI 1072 is provided over a traditional bus are to be excluded. Rather, it is expressly anticipated that in some examples, HFI 1072 may be provided on a bus, such as a PCIe bus, which is a serialized version of PCI that provides higher speeds than traditional PCI. Throughout computing device 1000, various nodes may provide different types of HFIs 1072, such as onboard HFIs and plug-in HFIs. It should also be noted that certain blocks in a system-on-a-chip may be provided as intellectual property (IP) blocks that can be “dropped” into an integrated circuit as a modular unit. Thus, HFI 1072 may in some cases be derived from such an IP block.

Note that in “the network is the device” fashion, node 0 1008 may provide limited or no onboard memory or storage. Rather, node 0 1008 may rely primarily on distributed services, such as a memory server and a networked storage server. Onboard, node 0 1008 may provide only sufficient memory and storage to bootstrap the device and get it communicating with fabric 1070. This kind of distributed architecture is possible because of the very high speeds of contemporary data centers, and may be advantageous because there is no need to over-provision resources for each node. Rather, a large pool of high speed or specialized memory may be dynamically provisioned between a number of nodes, so that each node has access to a large pool of resources, but those resources do not sit idle when that particular node does not need them.

In this example, a node 1 memory server 1004 and a node 2 storage server 1010 provide the operational memory and storage capabilities of node 0 1008. For example, memory server node 1 1004 may provide remote direct memory access (RDMA), whereby node 0 1008 may access memory resources on node 1 1004 via fabric 1070 in a direct memory access fashion, similar to how it would access its own onboard memory. The memory provided by memory server 1004 may be traditional memory, such as double data rate type 3 (DDR3) dynamic random access memory (DRAM), which is volatile, or may be a more exotic type of memory, such as a persistent fast memory (PFM) like Intel® 3D Crosspoint™ (3DXP), which operates at DRAM-like speeds, but is nonvolatile.

Similarly, rather than providing an onboard hard disk for node 0 1008, a storage server node 2 1010 may be provided. Storage server 1010 may provide a networked bunch of disks (NBOD), PFM, redundant array of independent disks (RAID), redundant array of independent nodes (RAIN), network attached storage (NAS), optical storage, tape drives, or other nonvolatile memory solutions.

Thus, in performing its designated function, node 0 1008 may access memory from memory server 1004 and store results on storage provided by storage server 1010. Each of these devices couples to fabric 1070 via an HFI 1072, which provides fast communication that makes these technologies possible.

By way of further illustration, node 3 1006 is also depicted. Node 3 1006 also includes an HFI 1072, along with two processor sockets internally connected by an uplink. However, unlike node 0 1008, node 3 1006 includes its own onboard memory 1022 and storage 1050. Thus, node 3 1006 may be configured to perform its functions primarily onboard, and may not be required to rely upon memory server 1004 and storage server 1010. However, in appropriate circumstances, node 3 1006 may supplement its own onboard memory 1022 and storage 1050 with distributed resources similar to node 0 1008.

Computing device 1000 may also include accelerators 1030. These may provide various accelerated functions, including hardware or co-processor acceleration for functions such as packet processing, encryption, decryption, compression, decompression, network security, or other accelerated functions in the data center. In some examples, accelerators 1030 may include deep learning accelerators that may be directly attached to one or more cores in nodes such as node 0 1008 or node 3 1006. Examples of such accelerators can include, by way of nonlimiting example, Intel® QuickData Technology (QDT), Intel® QuickAssist Technology (QAT), Intel® Direct Cache Access (DCA), Intel® Extended Message Signaled Interrupt (MSI-X), Intel® Receive Side Coalescing (RSC), and other acceleration technologies.

In other embodiments, an accelerator could also be provided as an ASIC, field-programmable gate array (FPGA), co-processor, graphics processing unit (GPU), digital signal processor (DSP), or other processing entity, which may optionally be tuned or configured to provide the accelerator function.

The basic building block of the various components disclosed herein may be referred to as “logic elements.” Logic elements may include hardware (including, for example, a software-programmable processor, an ASIC, or an FPGA), external hardware (digital, analog, or mixed-signal), software, reciprocating software, services, drivers, interfaces, components, modules, algorithms, sensors, firmware, microcode, programmable logic, or objects that can coordinate to achieve a logical operation. Furthermore, some logic elements are provided by a tangible, non-transitory computer-readable medium having stored thereon executable instructions for instructing a processor to perform a certain task. Such a non-transitory medium could include, for example, a hard disk, solid state memory or disk, read-only memory (ROM), PFM (e.g., Intel® 3D Crosspoint™), external storage, RAID, RAIN, NAS, optical storage, tape drive, backup system, cloud storage, or any combination of the foregoing by way of nonlimiting example. Such a medium could also include instructions programmed into an FPGA, or encoded in hardware on an ASIC or processor.

FIG. 11 is a block diagram of components of a computing platform 1102A according to one or more examples of the present specification. Embodiments of computing platform 1102A disclosed herein may be adapted or configured to provide the method of atomic update of access control list rules, according to the teachings of the present specification.

In the embodiment depicted, platforms 1102A, 1102B, and 1102C, along with a data center management platform 1106 and data analytics engine 1104, are interconnected via network 1108. In other embodiments, a computer system may include any suitable number of (i.e., one or more) platforms. In some embodiments (e.g., when a computer system only includes a single platform), all or a portion of the system management platform 1106 may be included on a platform 1102. A platform 1102 may include platform logic 1110 with one or more central processing units (CPUs) 1112, memories 1114 (which may include any number of different modules), chipsets 1116, communication interfaces 1118, and any other suitable hardware and/or software to execute a hypervisor 1120 or other operating system capable of executing workloads associated with applications running on platform 1102. In some embodiments, a platform 1102 may function as a host platform for one or more guest systems 1122 that invoke these applications. Platform 1102A may represent any suitable computing environment, such as a high-performance computing environment, a data center, a communications service provider infrastructure (e.g., one or more portions of an Evolved Packet Core), an in-memory computing environment, a computing system of a vehicle (e.g., an automobile or airplane), an Internet of Things environment, an industrial control system, other computing environment, or combination thereof.

In various embodiments of the present disclosure, accumulated stress and/or rates of stress accumulation of a plurality of hardware resources (e.g., cores and uncores) are monitored, and entities (e.g., system management platform 1106, hypervisor 1120, or other operating system) of computer platform 1102A may assign hardware resources of platform logic 1110 to perform workloads in accordance with the stress information. In some embodiments, self-diagnostic capabilities may be combined with the stress monitoring to more accurately determine the health of the hardware resources. Each platform 1102 may include platform logic 1110. Platform logic 1110 comprises, among other logic enabling the functionality of platform 1102, one or more CPUs 1112, memory 1114, one or more chipsets 1116, and communication interfaces 1128. Although three platforms are illustrated, computer platform 1102A may be interconnected with any suitable number of platforms. In various embodiments, a platform 1102 may reside on a circuit board that is installed in a chassis, rack, or other suitable structure that comprises multiple platforms coupled together through network 1108 (which may comprise, e.g., a rack or backplane switch).

CPUs 1112 may each comprise any suitable number of processor cores and supporting logic (e.g., uncores). The cores may be coupled to each other, to memory 1114, to at least one chipset 1116, and/or to a communication interface 1118, through one or more controllers residing on CPU 1112 and/or chipset 1116. In particular embodiments, a CPU 1112 is embodied within a socket that is permanently or removably coupled to platform 1102A. Although four CPUs are shown, a platform 1102 may include any suitable number of CPUs.

Memory 1114 may comprise any form of volatile or nonvolatile memory including, without limitation, magnetic media (e.g., one or more tape drives), optical media, random access memory (RAM), ROM, flash memory, removable media, or any other suitable local or remote memory component or components. Memory 1114 may be used for short, medium, and/or long term storage by platform 1102A. Memory 1114 may store any suitable data or information utilized by platform logic 1110, including software embedded in a computer-readable medium, and/or encoded logic incorporated in hardware or otherwise stored (e.g., firmware). Memory 1114 may store data that is used by cores of CPUs 1112. In some embodiments, memory 1114 may also comprise storage for instructions that may be executed by the cores of CPUs 1112 or other processing elements (e.g., logic resident on chipsets 1116) to provide functionality associated with the manageability engine 1126 or other components of platform logic 1110. A platform 1102 may also include one or more chipsets 1116 comprising any suitable logic to support the operation of the CPUs 1112. In various embodiments, chipset 1116 may reside on the same die or package as a CPU 1112 or on one or more different dies or packages. Each chipset may support any suitable number of CPUs 1112. A chipset 1116 may also include one or more controllers to couple other components of platform logic 1110 (e.g., communication interface 1118 or memory 1114) to one or more CPUs. In the embodiment depicted, each chipset 1116 also includes a manageability engine 1126. Manageability engine 1126 may include any suitable logic to support the operation of chipset 1116. In a particular embodiment, a manageability engine 1126 (which may also be referred to as an innovation engine) is capable of collecting real-time telemetry data from the chipset 1116, the CPU(s) 1112 and/or memory 1114 managed by the chipset 1116, other components of platform logic 1110, and/or various connections between components of platform logic 1110. In various embodiments, the telemetry data collected includes the stress information described herein.

In various embodiments, a manageability engine 1126 operates as an out-of-band asynchronous compute agent which is capable of interfacing with the various elements of platform logic 1110 to collect telemetry data with no or minimal disruption to running processes on CPUs 1112. For example, manageability engine 1126 may comprise a dedicated processing element (e.g., a processor, controller, or other logic) on chipset 1116, which provides the functionality of manageability engine 1126 (e.g., by executing software instructions), thus conserving processing cycles of CPUs 1112 for operations associated with the workloads performed by the platform logic 1110. Moreover, the dedicated logic for the manageability engine 1126 may operate asynchronously with respect to the CPUs 1112 and may gather at least some of the telemetry data without increasing the load on the CPUs.

A manageability engine 1126 may process telemetry data it collects (specific examples of the processing of stress information are provided herein). In various embodiments, manageability engine 1126 reports the data it collects and/or the results of its processing to other elements in the computer system, such as one or more hypervisors 1120 or other operating systems and/or system management software (which may run on any suitable logic such as system management platform 1106). In particular embodiments, a critical event such as a core that has accumulated an excessive amount of stress may be reported prior to the normal interval for reporting telemetry data (e.g., a notification may be sent immediately upon detection).

Additionally, manageability engine 1126 may include programmable code configurable to set which CPU(s) 1112 a particular chipset 1116 manages and/or which telemetry data may be collected.

Chipsets 1116 also each include a communication interface 1128. Communication interface 1128 may be used for the communication of signaling and/or data between chipset 1116 and one or more I/O devices, one or more networks 1108, and/or one or more devices coupled to network 1108 (e.g., system management platform 1106). For example, communication interface 1128 may be used to send and receive network traffic such as data packets. In a particular embodiment, a communication interface 1128 comprises one or more physical network interface controllers (NICs), also known as network interface cards or network adapters. A NIC may include electronic circuitry to communicate using any suitable physical layer (PHY) and data link layer standard such as Ethernet (e.g., as defined by an IEEE 802.3 standard), Fibre Channel, InfiniBand, Wi-Fi, or other suitable standard. A NIC may include one or more physical ports that may couple to a cable (e.g., an Ethernet cable). A NIC may enable communication between any suitable element of chipset 1116 (e.g., manageability engine 1126 or switch 1130) and another device coupled to network 1108. In various embodiments a NIC may be integrated with the chipset (i.e., may be on the same integrated circuit or circuit board as the rest of the chipset logic) or may be on a different integrated circuit or circuit board that is electromechanically coupled to the chipset.

In particular embodiments, communication interfaces 1128 may allow communication of data (e.g., between the manageability engine 1126 and the data center management platform 1106) associated with management and monitoring functions performed by manageability engine 1126. In various embodiments, manageability engine 1126 may utilize elements (e.g., one or more NICs) of communication interfaces 1128 to report the telemetry data (e.g., to system management platform 1106) in order to reserve usage of NICs of communication interface 1118 for operations associated with workloads performed by platform logic 1110.

Switches 1130 may couple to various ports (e.g., provided by NICs) of communication interface 1128 and may switch data between these ports and various components of chipset 1116 (e.g., one or more Peripheral Component Interconnect Express (PCIe) lanes coupled to CPUs 1112). Switches 1130 may be a physical or virtual (i.e., software) switch.

Platform logic 1110 may include an additional communication interface 1118. Similar to communication interfaces 1128, communication interfaces 1118 may be used for the communication of signaling and/or data between platform logic 1110 and one or more networks 1108 and one or more devices coupled to the network 1108. For example, communication interface 1118 may be used to send and receive network traffic such as data packets. In a particular embodiment, communication interfaces 1118 comprise one or more physical NICs. These NICs may enable communication between any suitable element of platform logic 1110 (e.g., CPUs 1112 or memory 1114) and another device coupled to network 1108 (e.g., elements of other platforms or remote computing devices coupled to network 1108 through one or more networks).

Platform logic 1110 may receive and perform any suitable types of workloads. A workload may include any request to utilize one or more resources of platform logic 1110, such as one or more cores or associated logic. For example, a workload may comprise a request to instantiate a software component, such as an I/O device driver 1124 or guest system 1122; a request to process a network packet received from a virtual machine 1132 or device external to platform 1102A (such as a network node coupled to network 1108); a request to execute a process or thread associated with a guest system 1122, an application running on platform 1102A, a hypervisor 1120 or other operating system running on platform 1102A; or other suitable processing request.

A virtual machine 1132 may emulate a computer system with its own dedicated hardware. A virtual machine 1132 may run a guest operating system on top of the hypervisor 1120. The components of platform logic 1110 (e.g., CPUs 1112, memory 1114, chipset 1116, and communication interface 1118) may be virtualized such that it appears to the guest operating system that the virtual machine 1132 has its own dedicated components.

A virtual machine 1132 may include a virtualized NIC (vNIC), which is used by the virtual machine as its network interface. A vNIC may be assigned a media access control (MAC) address or other identifier, thus allowing multiple virtual machines 1132 to be individually addressable in a network.

VNF 1134 may comprise a software implementation of a functional building block with defined interfaces and behavior that can be deployed in a virtualized infrastructure. In particular embodiments, a VNF 1134 may include one or more virtual machines 1132 that collectively provide specific functionalities (e.g., WAN optimization, virtual private network (VPN) termination, firewall operations, load-balancing operations, security functions, etc.). A VNF 1134 running on platform logic 1110 may provide the same functionality as traditional network components implemented through dedicated hardware. For example, a VNF 1134 may include components to perform any suitable NFV workloads, such as virtualized evolved packet core (vEPC) components, mobility management entities, 3rd Generation Partnership Project (3GPP) control and data plane components, etc.

SFC 1136 is a group of VNFs 1134 organized as a chain to perform a series of operations, such as network packet processing operations. Service function chaining may provide the ability to define an ordered list of network services (e.g. firewalls, load balancers) that are stitched together in the network to create a service chain.

A hypervisor 1120 (also known as a virtual machine monitor) may comprise logic to create and run guest systems 1122. The hypervisor 1120 may present guest operating systems run by virtual machines with a virtual operating platform (i.e., it appears to the virtual machines that they are running on separate physical nodes when they are actually consolidated onto a single hardware platform) and manage the execution of the guest operating systems by platform logic 1110. Services of hypervisor 1120 may be provided by virtualizing in software or through hardware assisted resources that require minimal software intervention, or both. Multiple instances of a variety of guest operating systems may be managed by the hypervisor 1120. Each platform 1102 may have a separate instantiation of a hypervisor 1120.

Hypervisor 1120 may be a native or bare-metal hypervisor that runs directly on platform logic 1110 to control the platform logic and manage the guest operating systems. Alternatively, hypervisor 1120 may be a hosted hypervisor that runs on a host operating system and abstracts the guest operating systems from the host operating system. Hypervisor 1120 may include a virtual switch 1138 that may provide virtual switching and/or routing functions to virtual machines of guest systems 1122. The virtual switch 1138 may comprise a logical switching fabric that couples the vNICs of the virtual machines 1132 to each other, thus creating a virtual network through which virtual machines may communicate with each other.

Virtual switch 1138 may comprise a software element that is executed using components of platform logic 1110. In various embodiments, hypervisor 1120 may be in communication with any suitable entity (e.g., an SDN controller) which may cause hypervisor 1120 to reconfigure the parameters of virtual switch 1138 in response to changing conditions in platform 1102 (e.g., the addition or deletion of virtual machines 1132 or identification of optimizations that may be made to enhance performance of the platform).

Hypervisor 1120 may also include resource allocation logic 1144, which may include logic for determining allocation of platform resources based on the telemetry data (which may include stress information). Resource allocation logic 1144 may also include logic for communicating with various entities of platform 1102A, such as components of platform logic 1110, to implement such optimization.

Any suitable logic may make one or more of these optimization decisions. For example, system management platform 1106; resource allocation logic 1144 of hypervisor 1120 or other operating system; or other logic of computer platform 1102A may be capable of making such decisions. In various embodiments, the system management platform 1106 may receive telemetry data from and manage workload placement across multiple platforms 1102. The system management platform 1106 may communicate with hypervisors 1120 (e.g., in an out-of-band manner) or other operating systems of the various platforms 1102 to implement workload placements directed by the system management platform.

The elements of platform logic 1110 may be coupled together in anysuitable manner. For example, a bus may couple any of the componentstogether. A bus may include any known interconnect, such as a multi-dropbus, a mesh interconnect, a ring interconnect, a point-to-pointinterconnect, a serial interconnect, a parallel bus, a coherent (e.g.cache coherent) bus, a layered protocol architecture, a differentialbus, or a Gunning transceiver logic (GTL) bus.

Elements of the computer platform 1102A may be coupled together in anysuitable manner such as through one or more networks 1108. A network1108 may be any suitable network or combination of one or more networksoperating using one or more suitable networking protocols. A network mayrepresent a series of nodes, points, and interconnected communicationpaths for receiving and transmitting packets of information thatpropagate through a communication system. For example, a network mayinclude one or more firewalls, routers, switches, security appliances,antivirus servers, or other useful network devices.

FIG. 12 illustrates a block diagram of a central processing unit (CPU) 1212 in accordance with certain embodiments. Embodiments of CPU 1212 disclosed herein may be adapted or configured to provide the method of atomic update of access control list rules, according to the teachings of the present specification.

Although CPU 1212 depicts a particular configuration, the cores and other components of CPU 1212 may be arranged in any suitable manner. CPU 1212 may comprise any processor or processing device, such as a microprocessor, an embedded processor, a digital signal processor (DSP), a network processor, an application processor, a co-processor, an SoC, or other device to execute code. CPU 1212, in the depicted embodiment, includes four processing elements (cores 1230 in the depicted embodiment), which may include asymmetric processing elements or symmetric processing elements. However, CPU 1212 may include any number of processing elements that may be symmetric or asymmetric.

Examples of hardware processing elements include: a thread unit, a thread slot, a thread, a process unit, a context, a context unit, a logical processor, a hardware thread, a core, and/or any other element, which is capable of holding a state for a processor, such as an execution state or architectural state. In other words, a processing element, in one embodiment, refers to any hardware capable of being independently associated with code, such as a software thread, operating system, application, or other code. A physical processor (or processor socket) typically refers to an integrated circuit, which potentially includes any number of other processing elements, such as cores or hardware threads.

A core may refer to logic located on an integrated circuit capable of maintaining an independent architectural state, wherein each independently maintained architectural state is associated with at least some dedicated execution resources. A hardware thread may refer to any logic located on an integrated circuit capable of maintaining an independent architectural state, wherein the independently maintained architectural states share access to execution resources. A physical CPU may include any suitable number of cores. In various embodiments, cores may include one or more out-of-order processor cores or one or more in-order processor cores. However, cores may be individually selected from any type of core, such as a native core, a software managed core, a core adapted to execute a native instruction set architecture (ISA), a core adapted to execute a translated ISA, a co-designed core, or other known core. In a heterogeneous core environment (i.e. asymmetric cores), some form of translation, such as binary translation, may be utilized to schedule or execute code on one or both cores.

In the embodiment depicted, core 1230A includes an out-of-order processor that has a front end unit 1270 used to fetch incoming instructions, perform various processing (e.g. caching, decoding, branch predicting, etc.) and pass instructions/operations along to an out-of-order (OOO) engine. The OOO engine performs further processing on decoded instructions.

A front end 1270 may include a decode module coupled to fetch logic to decode fetched elements. Fetch logic, in one embodiment, includes individual sequencers associated with thread slots of cores 1230. Usually a core 1230 is associated with a first ISA, which defines/specifies instructions executable on core 1230. Often machine code instructions that are part of the first ISA include a portion of the instruction (referred to as an opcode), which references/specifies an instruction or operation to be performed. The decode module may include circuitry that recognizes these instructions from their opcodes and passes the decoded instructions on in the pipeline for processing as defined by the first ISA. Decoders of cores 1230, in one embodiment, recognize the same ISA (or a subset thereof). Alternatively, in a heterogeneous core environment, a decoder of one or more cores (e.g., core 1230B) may recognize a second ISA (either a subset of the first ISA or a distinct ISA).

In the embodiment depicted, the out-of-order engine includes an allocate unit 1282 to receive decoded instructions, which may be in the form of one or more micro-instructions or uops, from front end unit 1270, and allocate them to appropriate resources such as registers and so forth. Next, the instructions are provided to a reservation station 1284, which reserves resources and schedules them for execution on one of a plurality of execution units 1286A-1286N. Various types of execution units may be present, including, for example, arithmetic logic units (ALUs), load and store units, vector processing units (VPUs), floating point execution units, among others. Results from these different execution units are provided to a reorder buffer (ROB) 1288, which takes unordered results and returns them to correct program order.

In the embodiment depicted, both front end unit 1270 and out-of-order engine 1280 are coupled to different levels of a memory hierarchy. Specifically shown is an instruction level cache 1272, that in turn couples to a mid-level cache 1276, that in turn couples to a last level cache 1295. In one embodiment, last level cache 1295 is implemented in an on-chip (sometimes referred to as uncore) unit 1290. Uncore 1290 may communicate with system memory 1299, which, in the illustrated embodiment, is implemented via embedded DRAM (eDRAM). The various execution units 1286 within OOO engine 1280 are in communication with a first level cache 1274 that also is in communication with mid-level cache 1276. Additional cores 1230B-1230D may couple to last level cache 1295 as well.

In particular embodiments, uncore 1290 may be in a voltage domain and/or a frequency domain that is separate from voltage domains and/or frequency domains of the cores. That is, uncore 1290 may be powered by a supply voltage that is different from the supply voltages used to power the cores and/or may operate at a frequency that is different from the operating frequencies of the cores.

CPU 1212 may also include a power control unit (PCU) 1240. In various embodiments, PCU 1240 may control the supply voltages and the operating frequencies applied to each of the cores (on a per-core basis) and to the uncore. PCU 1240 may also instruct a core or uncore to enter an idle state (where no voltage and clock are supplied) when not performing a workload.

In various embodiments, PCU 1240 may detect one or more stress characteristics of a hardware resource, such as the cores and the uncore. A stress characteristic may comprise an indication of an amount of stress that is being placed on the hardware resource. As examples, a stress characteristic may be a voltage or frequency applied to the hardware resource; a power level, current level, or voltage level sensed at the hardware resource; a temperature sensed at the hardware resource; or other suitable measurement. In various embodiments, multiple measurements (e.g., at different locations) of a particular stress characteristic may be performed when sensing the stress characteristic at a particular instance of time. In various embodiments, PCU 1240 may detect stress characteristics at any suitable interval.

In various embodiments, PCU 1240 is a component that is discrete from the cores 1230. In particular embodiments, PCU 1240 runs at a clock frequency that is different from the clock frequencies used by cores 1230. In some embodiments where the PCU is a microcontroller, PCU 1240 executes instructions according to an ISA that is different from an ISA used by cores 1230.

In various embodiments, CPU 1212 may also include a nonvolatile memory 1250 to store stress information (such as stress characteristics, incremental stress values, accumulated stress values, stress accumulation rates, or other stress information) associated with cores 1230 or uncore 1290, such that when power is lost, the stress information is maintained.

The foregoing outlines features of one or more embodiments of the subject matter disclosed herein. These embodiments are provided to enable a person having ordinary skill in the art (PHOSITA) to better understand various aspects of the present disclosure. Certain well-understood terms, as well as underlying technologies and/or standards may be referenced without being described in detail. It is anticipated that the PHOSITA will possess or have access to background knowledge or information in those technologies and standards sufficient to practice the teachings of the present specification.

The PHOSITA will appreciate that they may readily use the present disclosure as a basis for designing or modifying other processes, structures, or variations for carrying out the same purposes and/or achieving the same advantages of the embodiments introduced herein. The PHOSITA will also recognize that such equivalent constructions do not depart from the spirit and scope of the present disclosure, and that they may make various changes, substitutions, and alterations herein without departing from the spirit and scope of the present disclosure.

In the foregoing description, certain aspects of some or all embodiments are described in greater detail than is strictly necessary for practicing the appended claims. These details are provided by way of nonlimiting example only, for the purpose of providing context and illustration of the disclosed embodiments. Such details should not be understood to be required, and should not be “read into” the claims as limitations. The specification may refer to “an embodiment” or “embodiments.” These phrases, and any other references to embodiments, should be understood broadly to refer to any combination of one or more embodiments. Furthermore, the several features disclosed in a particular “embodiment” could just as well be spread across multiple embodiments. For example, if features 1 and 2 are disclosed in “an embodiment,” embodiment A may have feature 1 but lack feature 2, while embodiment B may have feature 2 but lack feature 1.

This specification may provide illustrations in a block diagram format, wherein certain features are disclosed in separate blocks. These should be understood broadly to disclose how various features interoperate, but are not intended to imply that those features must necessarily be embodied in separate hardware or software. Furthermore, where a single block discloses more than one feature in the same block, those features need not necessarily be embodied in the same hardware and/or software. For example, a computer “memory” could in some circumstances be distributed or mapped between multiple levels of cache or local memory, main memory, battery-backed volatile memory, and various forms of persistent memory such as a hard disk, storage server, optical disk, tape drive, or similar. In certain embodiments, some of the components may be omitted or consolidated. In a general sense, the arrangements depicted in the figures may be more logical in their representations, whereas a physical architecture may include various permutations, combinations, and/or hybrids of these elements. Countless possible design configurations can be used to achieve the operational objectives outlined herein. Accordingly, the associated infrastructure has a myriad of substitute arrangements, design choices, device possibilities, hardware configurations, software implementations, and equipment options.

References may be made herein to a computer-readable medium, which may be a tangible and non-transitory computer-readable medium. As used in this specification and throughout the claims, a “computer-readable medium” should be understood to include one or more computer-readable mediums of the same or different types. A computer-readable medium may include, by way of nonlimiting example, an optical drive (e.g., CD/DVD/Blu-Ray), a hard drive, a solid state drive, a flash memory, or other nonvolatile medium. A computer-readable medium could also include a medium such as a ROM, an FPGA or ASIC configured to carry out the desired instructions, stored instructions for programming an FPGA or ASIC to carry out the desired instructions, an intellectual property (IP) block that can be integrated in hardware into other circuits, or instructions encoded directly into hardware or microcode on a processor such as a microprocessor, digital signal processor (DSP), microcontroller, or in any other suitable component, device, element, or object where appropriate and based on particular needs. A non-transitory storage medium herein is expressly intended to include any non-transitory special-purpose or programmable hardware configured to provide the disclosed operations, or to cause a processor to perform the disclosed operations.

Various elements may be “communicatively,” “electrically,” “mechanically,” or otherwise “coupled” to one another throughout this specification and the claims. Such coupling may be a direct, point-to-point coupling, or may include intermediary devices. For example, two devices may be communicatively coupled to one another via a controller that facilitates the communication. Devices may be electrically coupled to one another via intermediary devices such as signal boosters, voltage dividers, or buffers. Mechanically coupled devices may be indirectly mechanically coupled.

Any “module” or “engine” disclosed herein may refer to or include software, a software stack, a combination of hardware, firmware, and/or software, a circuit configured to carry out the function of the engine or module, or any computer-readable medium as disclosed above. Such modules or engines may, in appropriate circumstances, be provided on or in conjunction with a hardware platform, which may include hardware compute resources such as a processor, memory, storage, interconnects, networks and network interfaces, accelerators, or other suitable hardware. Such a hardware platform may be provided as a single monolithic device (e.g., in a PC form factor), or with some or part of the function being distributed (e.g., a “composite node” in a high-end data center, where compute, memory, storage, and other resources may be dynamically allocated and need not be local to one another).

There may be disclosed herein flow charts, signal flow diagrams, or other illustrations showing operations being performed in a particular order. Unless otherwise expressly noted, or unless required in a particular context, the order should be understood to be a nonlimiting example only. Furthermore, in cases where one operation is shown to follow another, other intervening operations may also occur, which may be related or unrelated. Some operations may also be performed simultaneously or in parallel. In cases where an operation is said to be “based on” or “according to” another item or operation, this should be understood to imply that the operation is based at least partly on or according at least partly to the other item or operation. This should not be construed to imply that the operation is based solely or exclusively on, or solely or exclusively according to the item or operation.

All or part of any hardware element disclosed herein may readily be provided in an SoC, including a central processing unit (CPU) package. An SoC represents an integrated circuit (IC) that integrates components of a computer or other electronic system into a single chip. Thus, for example, client devices or server devices may be provided, in whole or in part, in an SoC. The SoC may contain digital, analog, mixed-signal, and radio frequency functions, all of which may be provided on a single chip substrate. Other embodiments may include a multichip module (MCM), with a plurality of chips located within a single electronic package and configured to interact closely with each other through the electronic package.

In a general sense, any suitably-configured circuit or processor can execute any type of instructions associated with the data to achieve the operations detailed herein. Any processor disclosed herein could transform an element or an article (for example, data) from one state or thing to another state or thing. Furthermore, the information being tracked, sent, received, or stored in a processor could be provided in any database, register, table, cache, queue, control list, or storage structure, based on particular needs and implementations, all of which could be referenced in any suitable timeframe. Any of the memory or storage elements disclosed herein should be construed as being encompassed within the broad terms “memory” and “storage,” as appropriate.

Computer program logic implementing all or part of the functionality described herein is embodied in various forms, including, but in no way limited to, a source code form, a computer executable form, machine instructions or microcode, programmable hardware, and various intermediate forms (for example, forms generated by an assembler, compiler, linker, or locator). In an example, source code includes a series of computer program instructions implemented in various programming languages, such as an object code, an assembly language, or a high-level language such as OpenCL, FORTRAN, C, C++, JAVA, or HTML for use with various operating systems or operating environments, or in hardware description languages such as Spice, Verilog, and VHDL. The source code may define and use various data structures and communication messages. The source code may be in a computer executable form (e.g., via an interpreter), or the source code may be converted (e.g., via a translator, assembler, or compiler) into a computer executable form, or converted to an intermediate form such as byte code. Where appropriate, any of the foregoing may be used to build or describe appropriate discrete or integrated circuits, whether sequential, combinatorial, state machines, or otherwise.

In one example embodiment, any number of electrical circuits of the FIGURES may be implemented on a board of an associated electronic device. The board can be a general circuit board that can hold various components of the internal electronic system of the electronic device and, further, provide connectors for other peripherals. Any suitable processor and memory can be suitably coupled to the board based on particular configuration needs, processing demands, and computing designs. Note that with the numerous examples provided herein, interaction may be described in terms of two, three, four, or more electrical components. However, this has been done for purposes of clarity and example only. It should be appreciated that the system can be consolidated or reconfigured in any suitable manner. Along similar design alternatives, any of the illustrated components, modules, and elements of the FIGURES may be combined in various possible configurations, all of which are within the broad scope of this specification.

Numerous other changes, substitutions, variations, alterations, and modifications may be ascertained to one skilled in the art and it is intended that the present disclosure encompass all such changes, substitutions, variations, alterations, and modifications as falling within the scope of the appended claims. In order to assist the United States Patent and Trademark Office (USPTO) and, additionally, any readers of any patent issued on this application in interpreting the claims appended hereto, Applicant wishes to note that the Applicant: (a) does not intend any of the appended claims to invoke paragraph six (6) of 35 U.S.C. section 112 (pre-AIA) or paragraph (f) of the same section (post-AIA), as it exists on the date of the filing hereof unless the words “means for” or “steps for” are specifically used in the particular claims; and (b) does not intend, by any statement in the specification, to limit this disclosure in any way that is not otherwise expressly reflected in the appended claims.

EXAMPLE IMPLEMENTATIONS

The following examples are provided by way of illustration.

Example 1 includes a network switching apparatus, comprising: an ingress port; a plurality of egress ports; a ternary content addressable memory (TCAM) comprising a plurality of chunks, wherein the chunks can be atomically enabled or disabled; a switching circuit to switch traffic from the ingress port to a selected egress port according to an access control list (ACL) of the TCAM; and one or more non-transitory mediums having stored thereon instructions to atomically add or update two or more target rules, comprising: add the two or more target rules to one or more target-rule chunks; and atomically enable the target-rule chunks.

Example 2 includes the network switching apparatus of example 1, wherein adding the two or more target rules to the target-rule chunk comprises adding the target rules with an inactive status while the target-rule chunk is enabled, and disabling the target-rule chunk.

Example 3 includes the network switching apparatus of example 1, wherein the one or more non-transitory mediums further have instructions to simultaneously disable one or more outdated-rule chunks having outdated rules while enabling the target-rule chunks.

Example 4 includes the network switching apparatus of example 1, wherein the one or more non-transitory mediums further have instructions to create a copy of an outdated rule with an active status, the copy having the same priority as the outdated rule and residing on a chunk other than a chunk hosting the original.

Example 5 includes the network switching apparatus of example 4, wherein the one or more non-transitory mediums further have instructions to: identify a source rule to be updated, the source rule being located on a source-rule chunk; make a new rule having new criteria and an inactive status; add the new rule to an enabled updated-rule chunk; disable the updated-rule chunk; change the status of the new rule to active; and simultaneously enable the updated-rule chunk while disabling the source-rule chunk.

Example 6 includes the network switching apparatus of example 1, wherein the one or more non-transitory mediums further have instructions to: identify one or more source rules to be disabled; group the source rules onto one or more source-rule chunks; group the two or more target rules onto one or more target-rule chunks, the target rules having inactive status; while the one or more target-rule chunks are disabled, change the target rules to active status; and simultaneously disable the source-rule chunks while enabling the target-rule chunks.

Example 7 includes the network switching apparatus of example 6, wherein the one or more mediums further have instructions to disable the one or more target-rule chunks before changing the target rules to active status.

Example 8 includes the network switching apparatus of example 6, wherein the source-rule chunks are exclusive chunks to be selected with reference to priority.

Example 9 includes the network switching apparatus of example 6, wherein the target-rule chunks are exclusive chunks to be selected with reference to priority.

Example 10 includes the network switching apparatus of example 6, wherein the one or more mediums further have instructions to clear or inactivate the source rules on the one or more source-rule chunks, and enable the one or more source-rule chunks.

Example 11 includes the network switching apparatus of any of examples 1-10, wherein enabling and disabling the chunks comprises writing to an ACL configuration register, the ACL configuration register comprising individual flags to control the plurality of chunks in parallel.

Example 12 includes the network switching apparatus of any of examples 1-10, wherein the ACL table is a ternary content-addressable memory (TCAM).

Example 13 includes the network switching apparatus of any of examples 1-10, wherein the switching circuit is an application-specific integrated circuit (ASIC) or field-programmable gate array (FPGA).

Example 14 includes one or more tangible, non-transitory computer-readable storage mediums having stored thereon instructions for atomically updating an access control list (ACL) table having a plurality of chunks that can be atomically enabled and disabled, the instructions to instruct a processor to: add two or more target rules to one or more target-rule chunks; and atomically enable the target-rule chunks.

Example 15 includes the one or more tangible, non-transitory computer-readable storage mediums of example 14, wherein adding the two or more target rules to the target-rule chunk comprises adding the target rules with an inactive status while the target-rule chunk is enabled, and disabling the target-rule chunk.

Example 16 includes the one or more tangible, non-transitory computer-readable storage mediums of example 14, wherein the instructions are further to instruct the processor to simultaneously disable one or more outdated-rule chunks having outdated rules while enabling the target-rule chunks.

Example 17 includes the one or more tangible, non-transitory computer-readable storage mediums of example 14, wherein the instructions are further to instruct the processor to create a copy of an outdated rule with an active status, the copy having the same priority as the outdated rule and residing on a chunk other than a chunk hosting the original.

Example 18 includes the one or more tangible, non-transitory computer-readable storage mediums of example 17, wherein the instructions are further to instruct the processor to: identify a source rule to be updated, the source rule located on a source-rule chunk; make a new rule having new criteria and an inactive status; add the new rule to an enabled updated-rule chunk; disable the updated-rule chunk; change the status of the new rule to active; and simultaneously enable the updated-rule chunk while disabling the source-rule chunk.

Example 19 includes the one or more tangible, non-transitory computer-readable storage mediums of example 14, wherein the instructions are further to instruct the processor to: identify one or more source rules to be disabled; group the source rules onto one or more source-rule chunks; group the two or more target rules onto one or more target-rule chunks, the target rules having inactive status; while the one or more target-rule chunks are disabled, change the target rules to active status; and simultaneously disable the source-rule chunks while enabling the target-rule chunks.

Example 20 includes the one or more tangible, non-transitory computer-readable storage mediums of example 19, wherein the instructions are further to instruct the processor to disable the one or more target-rule chunks before changing the target rules to active status.

Example 21 includes the one or more tangible, non-transitory computer-readable storage mediums of example 19, wherein the source-rule chunks are exclusive chunks to be selected with reference to priority.

Example 22 includes the one or more tangible, non-transitory computer-readable storage mediums of example 19, wherein the target-rule chunks are exclusive chunks to be selected with reference to priority.

Example 23 includes the one or more tangible, non-transitory computer-readable storage mediums of example 19, wherein the instructions are further to instruct the processor to clear or inactivate the source rules on the one or more source-rule chunks, and enable the one or more source-rule chunks.

Example 24 includes an apparatus comprising the one or more tangible, non-transitory computer-readable mediums of any of examples 14-23.

Example 25 includes the apparatus of example 24, further comprising means to carry out the instructions.

Example 26 includes the apparatus of example 25, wherein the means comprise a microprocessor.

Example 27 includes the apparatus of example 25, further comprising an ingress interface and a plurality of egress interfaces.

Example 28 includes the apparatus of example 25, wherein the apparatus is a network switch or router.

Example 29 includes a method of providing atomic update of an access control list (ACL) table, comprising: communicatively coupling to the ACL table, wherein the ACL table comprises a plurality of chunks configured to receive enable signals in parallel, the enable signals to enable or disable a single chunk; adding two or more target rules to one or more target-rule chunks; and atomically enabling the target-rule chunks.

Example 30 includes the method of example 29, wherein adding the two or more target rules to the target-rule chunk comprises adding the target rules with an inactive status while the target-rule chunk is enabled, and disabling the target-rule chunk.

Example 31 includes the method of example 29, further comprising atomically disabling one or more outdated-rule chunks having outdated rules while enabling the target-rule chunks.

Example 32 includes the method of example 29, further comprising creating a copy of an outdated rule with an active status, the copy having the same priority as the outdated rule and residing on a chunk other than a chunk hosting the original.

Example 33 includes the method of example 32, further comprising: identifying a source rule to be updated, the source rule located on a source-rule chunk; making a new rule having new criteria and an inactive status; adding the new rule to an enabled updated-rule chunk; disabling the updated-rule chunk; changing the status of the new rule to active; and atomically enabling the updated-rule chunk and disabling the source-rule chunk.

Example 34 includes the method of example 29, further comprising: identifying one or more source rules to be disabled; grouping the source rules onto one or more source-rule chunks; grouping the two or more target rules onto one or more target-rule chunks, the target rules having inactive status; while the one or more target-rule chunks are disabled, changing the target rules to active status; and atomically disabling the source-rule chunks and enabling the target-rule chunks.

Example 35 includes the method of example 34, further comprising disabling the one or more target-rule chunks before changing the target rules to active status.

Example 36 includes the method of example 34, wherein the source-rule chunks are exclusive chunks to be selected with reference to priority.

Example 37 includes the method of example 34, wherein the target-rule chunks are exclusive chunks to be selected with reference to priority.

Example 38 includes the method of example 34, further comprising clearing or inactivating the source rules on the one or more source-rule chunks, and enabling the one or more source-rule chunks.

Example 39 includes an apparatus comprising means for performing the method of any of examples 29-38.

Example 40 includes the apparatus of example 39, wherein the means comprise a processor and a memory.

Example 41 includes the apparatus of example 39, further comprising a ternary content-addressable memory (TCAM) to hold the ACL table.

Example 42 includes the apparatus of example 39, further comprising an ACL configuration register to atomically enable and disable the chunks.

Example 43 includes one or more tangible, non-transitory computer-readable mediums having stored thereon instructions that, when executed, perform the method or realize the apparatus of any of examples 29-42.
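The chunk-swap procedure of examples 2 through 10 (and its method form in examples 29 through 38), as an added Python model that is not part of this specification and not the switching circuit's own code. It assumes chunks start enabled, that a rule is a (priority, value, mask, action) entry gated by a per-rule status bit, that the enable register is a bitmask written in one operation, and that the rule kept on the source chunk is copied active at the same priority onto the updated-rule chunk (example 4) before the swap. It runs the same rule update twice, once with the staged chunk swap and once with a naive delete-then-insert on a single chunk, and records the lookup result for four constructed probe packets after every step. The staged path only ever shows the old policy or the new one; the naive path exposes a window in which the deny rule is absent and the fail-open default applies.

```python
"""Toy model of a chunked TCAM with an enable register (added example, not
the specification's own code). It checks that the staged chunk swap never
exposes a mixed or empty rule set to lookups, while a naive in-place update
does."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Rule:
    priority: int         # higher value wins among matching rules
    value: int            # match value; here a 32-bit source address
    mask: int             # ternary mask: 1 = compare this bit, 0 = wildcard
    action: str           # "permit" or "deny"
    active: bool = False  # per-rule status bit; inactive rules never match

    def matches(self, key: int) -> bool:
        return (key & self.mask) == (self.value & self.mask)


class ChunkedTcam:
    """Chunks are groups of rules; bit i of enable_reg gates chunk i."""

    def __init__(self, num_chunks: int, default_action: str) -> None:
        self.chunks: List[List[Rule]] = [[] for _ in range(num_chunks)]
        self.enable_reg = (1 << num_chunks) - 1  # assumption: chunks start enabled
        self.default_action = default_action

    def write_enable_register(self, set_mask: int, clear_mask: int) -> int:
        """One register write: the only step a lookup can observe as a single event."""
        self.enable_reg = (self.enable_reg | set_mask) & ~clear_mask
        return self.enable_reg

    def enabled(self, chunk: int) -> bool:
        return bool((self.enable_reg >> chunk) & 1)

    def lookup(self, key: int) -> str:
        """Highest-priority active rule in an enabled chunk, else the default."""
        best: Optional[Rule] = None
        for i, chunk in enumerate(self.chunks):
            if not self.enabled(i):
                continue
            for r in chunk:
                if r.active and r.matches(key) and (best is None or r.priority > best.priority):
                    best = r
        return best.action if best else self.default_action


Observer = Callable[[], None]


def update_rule_atomically(tcam: ChunkedTcam, src: int, old: Rule, new: Rule,
                           dst: int, observe: Observer) -> None:
    """Examples 4, 5, 7 and 10: stage on dst, then swap src/dst in one register write."""
    for r in tcam.chunks[src]:           # rules that stay get an active copy on dst
        if r is not old:                 # (same priority; a harmless duplicate while both live)
            tcam.chunks[dst].append(Rule(r.priority, r.value, r.mask, r.action, active=True))
    observe()
    new.active = False
    tcam.chunks[dst].append(new)         # written inactive into an enabled chunk
    observe()
    tcam.write_enable_register(0, 1 << dst)       # disable the destination chunk
    observe()
    new.active = True                             # activate while the chunk is disabled
    observe()
    tcam.write_enable_register(1 << dst, 1 << src)  # enable dst and disable src together
    observe()
    tcam.chunks[src].clear()                      # reclaim the source chunk
    tcam.write_enable_register(1 << src, 0)
    observe()


def update_rule_in_place(tcam: ChunkedTcam, chunk: int, old: Rule, new: Rule,
                         observe: Observer) -> None:
    """Naive delete-then-insert: lookups between the two writes see no deny rule."""
    tcam.chunks[chunk].remove(old)
    observe()
    new.active = True
    tcam.chunks[chunk].append(new)
    observe()


# Constructed probe packets (source addresses) used to snapshot the policy.
PROBES = {"10.0.0.1": 0x0A000001, "10.5.0.1": 0x0A050001,
          "10.1.2.3": 0x0A010203, "192.168.0.1": 0xC0A80001}


def snapshot(tcam: ChunkedTcam) -> Tuple[str, ...]:
    return tuple(tcam.lookup(k) for k in PROBES.values())


def run(strategy: str) -> Tuple[Tuple[str, ...], Tuple[str, ...], List[Tuple[str, ...]]]:
    """Apply one strategy; return (policy before, policy after, snapshots seen mid-update)."""
    tcam = ChunkedTcam(num_chunks=4, default_action="permit")         # fail-open default
    old_deny = Rule(20, 0x0A000000, 0xFF000000, "deny", active=True)   # deny 10.0.0.0/8
    allow = Rule(30, 0x0A010200, 0xFFFFFF00, "permit", active=True)    # permit 10.1.2.0/24
    tcam.chunks[0].extend([old_deny, allow])
    new_deny = Rule(20, 0x0A000000, 0xFFFF0000, "deny")                # narrow to 10.0.0.0/16
    before, seen = snapshot(tcam), []
    observe = lambda: seen.append(snapshot(tcam))
    if strategy == "atomic":
        update_rule_atomically(tcam, 0, old_deny, new_deny, 1, observe)
    else:
        update_rule_in_place(tcam, 0, old_deny, new_deny, observe)
    return before, snapshot(tcam), seen


def mixed_states(before, after, seen):
    """Snapshots that match neither the old policy nor the new one."""
    return [s for s in seen if s not in (before, after)]


if __name__ == "__main__":
    for strategy in ("atomic", "in_place"):
        b, a, seen = run(strategy)
        print(strategy, "before", b, "after", a, "mixed", mixed_states(b, a, seen))
```

Two gates keep staged rules invisible: the per-rule status bit while the chunk is still enabled, and the chunk enable bit while the rule is being activated. The model keeps the ordering of examples 2 and 7 (write inactive into an enabled chunk, disable the chunk, then activate) without claiming why the hardware wants it; the point it does show is that the only transition a packet can observe is the single register write that enables the new chunk and disables the old one.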

What is claimed is:
1. A network switching apparatus, comprising: an ingress port; a plurality of egress ports; a ternary content addressable memory (TCAM) comprising a plurality of chunks, wherein the chunks can be atomically enabled or disabled; a switching circuit to switch traffic from the ingress port to a selected egress port according to an access control list (ACL) of the TCAM; and one or more non-transitory mediums having stored thereon instructions to atomically add or update two or more target rules, wherein the instructions are to: add the two or more target rules to one or more target-rule chunks, comprising adding the target rules with an inactive status while the target-rule chunk is enabled, and disabling the target-rule chunk; and atomically enable the target-rule chunks.
2. The network switching apparatus of claim 1, wherein the one or more non-transitory mediums further have instructions to simultaneously disable one or more outdated-rules chunks having outdated rules while enabling the target-rule chunks.
3. The network switching apparatus of claim 1, wherein the one or more non-transitory mediums further have instructions to create a copy of an outdated rule with an active status, the copy having the same priority as the outdated rule and residing on a chunk other than a chunk hosting the outdated rule.
4. The network switching apparatus of claim 3, wherein the one or more non-transitory mediums further have instructions to: identify a source rule to be updated, the source rule being located on a source-rule chunk; make a new rule having new criteria and an inactive status; add the new rule to an enabled updated-rule chunk; disable the updated-rule chunk; change the status of the new rule to active; and simultaneously enable the updated-rule chunk while disabling the source-rule chunk.
5. The network switching apparatus of claim 1, wherein the one or more non-transitory mediums further have instructions to: identify one or more source rules to be disabled; group the source rule onto one or more source-rule chunks; group the two or more target rules onto one or more target-rule chunks, the target rules having inactive status; while the one or more target-rule chunks are disabled, change the target rules to active status; and simultaneously disable the source-rule chunks while enabling the target-rule chunks.
6. The network switching apparatus of claim 5, wherein the one or more non-transitory mediums further have instructions to disable the one or more target-rule chunks before changing the target rules to active status.
7. The network switching apparatus of claim 5, wherein the source-rule chunks are exclusive chunks to be selected with reference to priority.
8. The network switching apparatus of claim 5, wherein the target-rule chunks are exclusive chunks to be selected with reference to priority.
9. The network switching apparatus of claim 5, wherein the one or more mediums further have instructions to clear or inactivate the source rules on the one or more source-rule chunks, and enable the one or more source-rule chunks.
10. The network switching apparatus of claim 1, wherein enabling and disabling the chunks comprises writing to an ACL configuration register, the ACL configuration register comprising individual flags to control the plurality of chunks in parallel.
11. The network switching apparatus of claim 1, wherein the switching circuit is an application-specific integrated circuit (ASIC) or field-programmable gate array (FPGA).
12. One or more tangible, non-transitory computer-readable storage mediums having stored thereon instructions for atomically updating an access control list (ACL) table having a plurality of chunks that can be atomically enabled and disabled, the instructions to instruct a processor to: provide network switching services, comprising switching network traffic from an ingress port to a plurality of egress ports, according to the ACL table, wherein the ACL table is stored on a ternary content addressable memory (TCAM); add two or more target rules to one or more target-rule chunks of the TCAM, comprising adding the target rules with an inactive status while the target-rule chunk is enabled, and disabling the target-rule chunk; and atomically enable the target-rule chunks.
13. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the instructions are further to instruct the processor to simultaneously disable one or more outdated-rules chunks having outdated rules while enabling the target-rule chunks.
14. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the instructions are further to instruct the processor to create a copy of an outdated rule with an active status, the copy having the same priority as the outdated rule and residing on a chunk other than a chunk hosting the outdated rule.
15. The one or more tangible, non-transitory computer-readable storage mediums of claim 14, wherein the instructions are further to instruct the processor to: identify a source rule to be updated, the source rule located on a source-rule chunk; make a new rule having new criteria and an inactive status; add the new rule to an enabled updated-rule chunk; disable the updated-rule chunk; change the status of the new rule to active; and simultaneously enable the updated-rule chunk while disabling the source-rule chunk.
16. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the instructions are further to instruct the processor to: identify one or more source rules to be disabled; group the source rule onto one or more source-rule chunks; group the two or more target rules onto one or more target-rule chunks, the target rules having inactive status; while the one or more target-rule chunks are disabled, change the target rules to active status; and simultaneously disable the source-rule chunks while enabling the target-rule chunks.
17. The one or more tangible, non-transitory computer-readable storage mediums of claim 16, wherein the instructions are further to instruct the processor to disable the one or more target-rule chunks before changing the target rules to active status.
18. The one or more tangible, non-transitory computer-readable storage mediums of claim 8, wherein the source-rule chunks are exclusive chunks to be selected with reference to priority.
19. The one or more tangible, non-transitory computer-readable storage mediums of claim 16, wherein the target-rule chunks are exclusive chunks to be selected with reference to priority.
20. The one or more tangible, non-transitory computer-readable storage mediums of claim 16, wherein the instructions are further to instruct the processor to clear or inactivate the source rules on the one or more source-rule chunks, and enable the one or more source-rule chunks.
21. A method of providing atomic update of an access control list (ACL) table, comprising: providing network switching between an ingress port and a plurality of egress ports, according to the ACL table; communicatively coupling to the ACL table, wherein the ACL table is stored on a ternary content addressable memory (TCAM) comprising a plurality of chunks configured to receive enable signals in parallel, the enable signals to enable or disable a single chunk; adding target rules to one or more target-rule chunks, comprising adding the target rules with an inactive status while the target-rule chunk is enabled, and disabling the target-rule chunk; and atomically enabling the target-rule chunks.
22. The method of claim 21, further comprising simultaneously disabling one or more outdated-rules chunks having outdated rules while enabling the target-rule chunks.
23. The method of claim 21, further comprising creating a copy of an outdated rule with an active status, the copy having the same priority as the outdated rule and residing on a chunk other than a chunk hosting the outdated rule.
24. The method of claim 21, further comprising: identifying a source rule to be updated, the source rule located on a source-rule chunk; making a new rule having new criteria and an inactive status; adding the new rule to an enabled updated-rule chunk; disabling the updated-rule chunk; changing the status of the new rule to active; and simultaneously enabling the updated-rule chunk while disabling the source-rule chunk.
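The rule-replacement sequence recited in examples 33 and 38 and again in claims 4, 9, 10 and 24 exists to close a fail-open window: if the old rule is removed before the new one is visible, a packet arriving in between matches nothing and falls through to the default action. The following Python model is an added illustration, not the patent's implementation or any vendor's code. It assumes a simplified TCAM in which each chunk is a list of rules, a match key is a plain string standing in for a value/mask pair, and the ACL configuration register is an integer with one flag bit per chunk (the parallel-flag layout of claim 10). `atomic_rule_update` follows the claimed steps and records what a lookup on the affected key would return after each step; `naive_rule_update` is the delete-then-insert sequence it replaces, shown for contrast.

```python
"""Model of chunk-based atomic ACL update (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    rule_id: str
    key: str          # constructed match key standing in for a TCAM value/mask pair
    action: str       # "permit" or "deny"
    priority: int     # lower value wins among matching active rules
    active: bool = False


class ChunkedTcam:
    """TCAM whose chunks are enabled/disabled by flag bits in a single register."""

    def __init__(self, num_chunks: int) -> None:
        self.chunks: Dict[int, List[Rule]] = {c: [] for c in range(num_chunks)}
        self.enable_reg = (1 << num_chunks) - 1   # assumption: all chunks enabled at start

    def write_enable_reg(self, enable=(), disable=()) -> None:
        # One register write flips every listed flag in parallel, so the data path
        # never observes a state in which only some of these chunks have changed.
        on = sum(1 << c for c in enable)
        off = sum(1 << c for c in disable)
        self.enable_reg = (self.enable_reg | on) & ~off

    def is_enabled(self, chunk: int) -> bool:
        return bool((self.enable_reg >> chunk) & 1)

    def lookup(self, key: str) -> Optional[str]:
        """Highest-priority active rule on an enabled chunk; None means no hit."""
        best: Optional[Rule] = None
        for chunk, rules in self.chunks.items():
            if not self.is_enabled(chunk):
                continue
            for r in rules:
                if r.active and r.key == key and (best is None or r.priority < best.priority):
                    best = r
        return best.action if best else None


def atomic_rule_update(tcam, key, source_chunk, source_id, new_rule, updated_chunk):
    """Steps of example 33 / claim 24, returning the lookup result after each step."""
    seen = [tcam.lookup(key)]
    # 1. add the new rule with inactive status while the updated-rule chunk is enabled
    new_rule.active = False
    tcam.chunks[updated_chunk].append(new_rule)
    seen.append(tcam.lookup(key))
    # 2. disable the updated-rule chunk, then mark the new rule active while hidden
    tcam.write_enable_reg(disable=[updated_chunk])
    new_rule.active = True
    seen.append(tcam.lookup(key))
    # 3. one register write: enable updated-rule chunk, disable source-rule chunk
    tcam.write_enable_reg(enable=[updated_chunk], disable=[source_chunk])
    seen.append(tcam.lookup(key))
    # 4. clean-up per example 38: clear the source rule, re-enable its chunk
    tcam.chunks[source_chunk] = [r for r in tcam.chunks[source_chunk] if r.rule_id != source_id]
    tcam.write_enable_reg(enable=[source_chunk])
    seen.append(tcam.lookup(key))
    return seen


def naive_rule_update(tcam, key, source_chunk, source_id, new_rule):
    """Delete-then-insert in place: the middle lookup misses both rules."""
    seen = [tcam.lookup(key)]
    tcam.chunks[source_chunk] = [r for r in tcam.chunks[source_chunk] if r.rule_id != source_id]
    seen.append(tcam.lookup(key))      # no rule visible: default action applies here
    new_rule.active = True
    tcam.chunks[source_chunk].append(new_rule)
    seen.append(tcam.lookup(key))
    return seen


KEY = "10.0.0.5->10.0.1.9"   # constructed sample flow key


def build_tcam() -> ChunkedTcam:
    # constructed sample ACL: chunk 0 holds a deny rule for KEY, chunks 1-3 are free
    t = ChunkedTcam(num_chunks=4)
    t.chunks[0].append(Rule("r1", KEY, "deny", priority=10, active=True))
    return t


if __name__ == "__main__":
    print("atomic:", atomic_rule_update(build_tcam(), KEY, 0, "r1",
                                        Rule("r2", KEY, "permit", 10), 1))
    print("naive: ", naive_rule_update(build_tcam(), KEY, 0, "r1",
                                       Rule("r2", KEY, "permit", 10)))
```

The atomic trace never contains `None`: every lookup returns either the old decision or the new one. The model also makes the exclusivity requirement of examples 36 and 37 concrete: step 2 hides the whole updated-rule chunk and step 3 hides the whole source-rule chunk, so any unrelated active rule sharing those chunks would disappear for the duration, which is why the claims select those chunks with reference to priority rather than packing rules arbitrarily.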